
Server hacked or What?

Hi Gals/Guys

My server has been behaving very strangely for the last 3 days. What is happening is that it gets restarted automatically after showing that memory-dumping screen. I checked the services and found that a few of them are really strange; although some of them were disabled, they really look fishy.

I have attached the snapshot of the services.

I asked my manager about this and he told me that this happened 5 months ago and he had to re-install the OS because he couldn't find a solution to rectify this problem. Apart from the services, I am also attaching a few of the logs which look really strange to me. Hope you people can help me.

My AV is updated, Windows is also updated, I have scanned the system 2-3 times for viruses, and Microsoft AntiSpyware is also running.

Operating System is Windows 2003.

Awaiting your replies

One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

Okay, here's what I'm seeing (going to be doing some talking out loud, so bear with me). The first unusual happenstance is at 2/10/2006 10:28:49, where a computer with the hostname of "FAIZA$" attempts to connect. Simultaneously, the McShield service fails. I know that it's a multi-proc system, so it is entirely possible. Don't know if that's related.
There seem to be a lot of invalid users trying to connect. Do you have firewall logs as well? Because then we could check to see if these users are coming from the same IP/MAC address.

Here's the list of users that are invalid:
KHIDAYAT
IHAFEEZ
MUNAZZA
IMRANYOUNUS
TEHSIN
ZIAULHAQ
KNAFEES
(note this list is by no means complete)

This could also be a problem: "The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported."(bold added by yours truly)

The many, many, many attempts to connect by unauthorized users worry me. If you have firewall logs and tcpdump/windump information, we would be able to help you better. Of course, also follow up on the processor problems. I think that's the most likely issue.
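The check suggested above (grouping the failed logons by where they come from and flagging tried names that are not domain accounts), as an added example that is not part of this thread. It parses a constructed text export of Windows 2003 security-log entries; the event IDs, field names, hosts and addresses are assumptions.

```python
import re
from collections import Counter
# Constructed sample: Windows 2003 security-log entries (529 = logon failure,
# 528 = success) as exported to text. Names, hosts and addresses are invented.
SAMPLE_LOG = """\
Event ID: 529
User Name: KHIDAYAT
Workstation Name: FAIZA
Source Network Address: 192.0.2.15

Event ID: 529
User Name: IHAFEEZ
Workstation Name: FAIZA
Source Network Address: 192.0.2.15

Event ID: 529
User Name: jsmith
Workstation Name: PC07
Source Network Address: -

Event ID: 528
User Name: jsmith
Workstation Name: PC07
Source Network Address: 192.0.2.40
"""

FIELD_RE = re.compile(
    r"^(Event ID|User Name|Workstation Name|Source Network Address):\s*(.*)$", re.M)

def parse_events(text):
    """Split the export on blank lines; keep only the fields we care about."""
    return [dict((k, v.strip()) for k, v in FIELD_RE.findall(block))
            for block in re.split(r"\n\s*\n", text.strip())]

def failed_logons_by_source(events, domain_users):
    """Per-source count of event-529 failures plus the non-domain names tried."""
    known = {u.upper() for u in domain_users}
    per_source, unknown = Counter(), {}
    for ev in events:
        if ev.get("Event ID") != "529":
            continue
        # Some logon paths leave the address as "-"; fall back to the host name.
        src = ev.get("Source Network Address", "-")
        if src == "-":
            src = ev.get("Workstation Name", "?")
        per_source[src] += 1
        name = ev.get("User Name", "").upper()
        if name not in known:
            unknown.setdefault(src, set()).add(name)
    return per_source, unknown
```

Feed it the exported security log and the list of real domain accounts; a single source trying many names that do not exist in the domain is the pattern worth matching against the firewall logs.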

There are some funny services there which are disabled, but I see your McShield is getting terminated. Check that you don't have anything running on the machine that is not supposed to be there.

There seem to be a whole bunch of netlogon failures and sign-on failures. Some of these errors suggest your client tries to sign or seal the secure channel, or something to that extent. I would check and try to disable the "Digitally encrypt or sign secure channel data (always)" policy. I could be way off, but check your secure logons anyway.

Also, another error suggests that the machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name, or the computer name not having replicated to every domain controller.
Hope this helps you.

About those failed logins: all of them are users which are not on the domain, so that's why we are getting messages from them.

Well, I have done the thing.... Reinstallation..... The last solution for Windows and the best, I think, because if you are not getting to the end of the problem, take the backup and wipe out Windows.

Anyway, d0pp, you said disabling the services is not enough and I should remove them; well, that's what I want to know now. Is there a tool available to delete the services completely from the system for Windows?


Have you been making any configuration changes to this box? There are some odd entries in that log -- disabling of lots of services (SavRoam, Smart Card, RSoP, Remote Registry, Mainboard Monitor, Distributed Link Tracking Client) is the most surprising.

As I said, after getting that screen dump problem, I looked into the services and every service I found fishy I disabled...... After doing that the system started giving too much trouble....

Anyway, if you see the screenshot and come to the service Mainboard Monitor and see its description, it's showing something relating to FTP access to clients, although the service name has no connection to FTP, so it looks fishy to me. A few of the others look suspicious or useless, so I disabled them.
